b'Final Assessment Report 06-06, September 22, 2006, \xe2\x80\x9cWebTrust Pre-Assessment of\nGPO Certificate Authorities\xe2\x80\x9d\n\n\nGPO implemented a Public Key Infrastructure (PKI) to support its \xe2\x80\x9cborn digital and\npublished to the web\xe2\x80\x9d methodology to meet GPO customer expectations that documents\nare official and authentic. The GPO PKI also directly supports GPO\xe2\x80\x99s mission related to\nelectronic information dissemination and e-government. The GPO PKI recently became\ncross-certified with the Federal Bridge Certificate Authority (FBCA) whose certification\nprovisions require that the GPO PKI undergo a compliance review. To satisfy this\ncompliance requirement, the GPO Office of Inspector General (OIG) tasked an\nindependent public accounting firm to conduct a WebTrust assessment of its Certificate\nAuthorities (CA). The assessment was conducted in accordance with the American\nInstitute of Certified Public Accountants (AICPA) \xe2\x80\x9cWebTrust Principles and Criteria for\nCertificate Authorities.\xe2\x80\x9d The assessment represents an evaluation of whether GPO\xe2\x80\x99s\nassertions related to the adequacy and effectiveness of controls over its CA operations is\nfairly stated based on underlying principles and evaluation criteria.\n\nThe purpose of the WebTrust pre-assessment was to identify gaps and deficiencies\nbetween the current GPO PKI environment and the required criteria of the WebTrust\nProgram for CA. During the pre-assessment phase, the contractor performed procedures,\nincluding testing where deemed appropriate, on GPO\xe2\x80\x99s CA business processes,\nsupporting applications, and technologies related to GPO\xe2\x80\x99s assertions regarding CA\noperations. The OIG issued a sensitive pre-assessment report which summarized gaps\nand deficiencies identified during the pre-assessment phase and made several\nrecommendations requiring GPO\xe2\x80\x99s attention prior to finalization of the WebTrust\nassessment. The GPO Chief Information Officer concurred with each of the pre-\nassessment recommendations and took corrective actions prior to the final WebTrust\nphase. During the final WebTrust phase, controls were tested to gather support for an\nopinion regarding compliance with applicable WebTrust principles and criteria for\ncertification.\n\x0c'